Is PAVE right for me?BlogNov 8, 2016James Simakas

Most likely yes – PAVE works for small teams and enterprises both and is cost-competitive with cloud solutions on any scale. Remote access (with associated web/mobile apps) is supported and hardware/support costs are nigh nonexistent (for small teams) or light (for enterprise deployment architectures.) It offers the full feature set of locally-hosted applications and cloud services on any scale, as it’s designed to compete with them directly.

Several competing factors require consideration when choosing a password manager: the scale of operation it must support, its inherent security, where its used (strictly local or with remote access) and of course the cost. Solutions dominating the market now are local applications (licensed software, typically run on your own servers) or cloud-based services charging annual fees. Licensed software applications are dominated by file-based encryption architecture; cheap, minimal overhead/support and reasonably secure, but scale’s limited to small teams and secure remote access is difficult (if available at all.) By contrast cloud services offer inherent remote access, eliminate backend management entirely and scale well to enterprise operations, but come at a steep cost (especially for enterprise) and expose user data to a much wider attack surface.

TeamPAVE combines the low cost and security of licensed software with the accessibility of cloud services- at any scale.

Small Scale – Locally-Hosted Software

These are password management programs that run entirely on business-owned hardware. Virtually all team solutions available on the market utilize file-based sync architecture: easy to implement, requires every user share the same master password and tends to eat your data when you actually try to sync data:

It’s exceedingly difficult to prevent two users from writing to the file at the same time, risking silent data loss from accidental over-writes. This prevents scaling past small teams, and edge-case “race conditions” which cause over-writes are very hard to entirely eliminate.

TeamPAVE uses databases instead, which are inherently designed to avoid race conditions. For small scale deployments PAVE employs SQLite – a single-file database easily provisioned and trivially backed up or replicated. There is no other maintenance needed, apart from security patches, and all management is done through the client GUI. Additionally TeamPAVE’s asymmetric key-signing architecture allows safe remote access (with web and mobile apps included) over the internet that file-based sync software cannot easily, without third-party file sync software.

Required infrastructure is negligible; TeamPAVE can easily run on legacy hardware or in small VMs.

Small Scale – Cloud Services

While traditional cloud benefits (managed deployments and support) can be done in-house at smaller scales, these services primary benefit from easy remote access that traditional file-based sync software can’t. The major downside is cost – most services charge annual license fees per-user, rather than a flat licensing fee (like TeamPAVE.) At industry-leader rates, TeamPAVE is cost-competitive at 10 users and half the cost by 20 users, and has very minimal management overhead even these scales.

Then there’s security issues. Cloud-based vendors are obvious targets for hackers – as are their hosting services and their data centers. This exponentially increases the number of personnel with access that can be targeted by social engineering attacks (spear-phishing, bribes, blackmail, etc.) Considering the thriving cybercrime market, where clients’ data is stolen en-mass from hosting providers and auctioned off piecemeal on “dark web” sites, small companies can’t count on being “too small to be worth the effort” anymore. With state-sponsored espionage programs reaching unprecedented intensity, there’s a likely buyer for anyone’s data.

TeamPAVE offers the flexible remote-access functionality without the security risks inherent to cloud services, as you can both host it on-premise, and have higher security when hosting externally: Not only has TeamPAVE more secure encryption, it also keeps the root of trust in your own company: With cloud services, you must rely on the provider for sharing public keys between users, who can (e.g. due to an undetected hack) be forced to hand out compromised man-in-the-middle keys. TeamPAVE has no such central authority, you get to keep the master keys.

Enterprise-Scale Cloud Solutions

Due to the inherent scale limits of software using file-based sync, cloud services have been the only option for enterprise-scale solutions (until now.) The “cloud” is distinct from datacenter hosting by offering bundled hardware/software management from the vendor’s staff rather than just renting you remote hardware. This makes scaling very easy, but since it’s effectively contracting out major IT services, it’s also very costly. TeamPAVE offers the same functionality with a server component simple and robust enough for in-house IT (or MSPs) to manage with ease. Enrolling new users and managing user groups takes less than a minute – without automated management features currently in development. Infrastructure overhead is very low; deployment depends on desired scale (whether you need database clustering and load-balanced application servers or not) but TeamPAVE scales far before it needs complicated set-ups: several hundreds of users before load-balancing becomes a concern even on commodity hardware, and many, many more before database clusters are needed. Combined with the flat license fee (compared to per-user licensing with cloud services) this allows harnessing economies-of-scale with your existing equipment and IT staff.

TeamPAVE’s enterprise-scale architecture is based on MySQL/PostgreSQL database servers, some of the most widely used and easily scalable database solutions in the world (Google, Facebook and Twitter all rely on it,) and the RESTful application server lends itself well to easy load-balancing and failover setups using standard tools. Fully encrypting databases is common practice for password managers, but TeamPAVE utilizes XSalsa20 encryption algorithm (rather than the weaker AES commonly used by others) and is hardened against database replay attacks and other common threats. This allows utilization of external storage (even cloud MySQL database services like Rackspace, HP Converged Cloud, Heroku, etc.) and cost consolidation if you already utilize said services. Unlike cloud-hosted password solutions, you still benefit from PAVE’s trust model, and all key trust derives from your trust root, not the provider’s.

Summary

TeamPAVE is a solution suited for most of the market: it offers small businesses cloud-service flexibility for a local solution’s price (and better security) and offers enterprise-scale companies massive cost savings by bringing password management services in-house with minimal backend overhead – and offers security flat-out superior to current cloud offerings.